[Bug 216942] rc.firewall simple rule ::/96
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Thu Feb 9 17:11:25 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216942
Bug ID: 216942
Summary: rc.firewall simple rule ::/96
Product: Base System
Version: 11.0-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: conf
Assignee: freebsd-bugs at FreeBSD.org
Reporter: jasonmader at gmail.com
CC: freebsd-amd64 at FreeBSD.org
CC: freebsd-amd64 at FreeBSD.org
/etc/rc.firewall SIMPLE sets a couple of IPv6 rules,
# Disallow packets to malicious IPv4 compatible prefix.
deny all from ::224.0.0.0/100 to any via ${oif6}
deny all from any to ::224.0.0.0/100 via ${oif6}
deny all from ::127.0.0.0/104 to any via ${oif6}
deny all from any to ::127.0.0.0/104 via ${oif6}
deny all from ::0.0.0.0/104 to any via ${oif6}
deny all from any to ::0.0.0.0/104 via ${oif6}
deny all from ::255.0.0.0/104 to any via ${oif6}
deny all from any to ::255.0.0.0/104 via ${oif6}
deny all from ::0.0.0.0/96 to any via ${oif6}
deny all from any to ::0.0.0.0/96 via ${oif6}
and a search showed these came from the pages of IPv6 Network Administration:
Teaching the Turtle to Dance. But isn't the second section denying ::0.0.0.0/96
redundant to the first section, since all the specific IPv4 compatible
addresses are subnets of ::/96?
It seems from the book that you would deny ::0.0.0.0/96 if you do not plan to
use any compatible addresses, or the others if you were planning to use
compatible addresses. Not both at the same time as the simple configuration
adds.
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the freebsd-amd64
mailing list